Wednesday Edition - Midweek Patchquake: WSUS RCE, Preview-Pane Traps, and the Last Hurrah for Win10
Overview of October 2025 Patch Tuesday: four high-risk flaws, patch priorities, and guidance as Windows 10 reaches end of support.
KryptoKat here. Since Sunday, Patch Tuesday landed like a piano: 172 fixes, multiple zero-days, and a couple of on‑prem bullseyes you really don’t want exposed. Add a fresh ZDI “heads‑up” for Microsoft, and your midweek suddenly looks like an emergency change window with snacks.
Microsoft Patch Tuesday: Triage the Big Four
- CVE-2025-59287 — WSUS unauthenticated deserialization RCE: High‑risk network surface with privileged update plumbing. If WSUS is reachable, treat it like a front door without a lock. Prioritize patching and put WSUS behind management networks. Sources: MSRC, SANS ISC, Krebs.
- CVE-2025-59230 — RasMan elevation of privilege: Confirmed exploited in the wild; attackers chain it post‑initial access for system‑level control. Patch and add hunts for suspicious RasMan service activity. Sources: MSRC, BleepingComputer.
- CVE-2025-59227 / CVE-2025-59234 — Office Preview‑pane RCE: Trigger-on-preview bugs. Disable preview where feasible and detonate attachments in a sandbox for high‑risk mail flows. Sources: MSRC, Talos.
- CVE-2025-24990 — Agere modem driver: High‑impact driver issue with mitigations and removal actions noted this cycle. Treat as a privilege‑escalation pitfall on legacy builds. Sources: ZDI, MSRC.
Operational twist: October is the final month of regular security updates for Windows 10. If you still have Win10 anchors on your network, segment and shrink their blast radius now. Roundups: MSRC, SANS ISC, DarkReading, Krebs.
What to Patch First (and how to fence it in)
KryptoKat’s order of operations:
- Patch WSUS (CVE-2025-59287) immediately; restrict it to management networks, require jump hosts/VPN, and add integrity monitoring around update services.
- Patch RasMan (CVE-2025-59230); hunt for anomalous RasMan service starts, token shenanigans, and unexpected service creations.
- Patch Office preview‑pane bugs (CVE-2025-59227 / CVE-2025-59234); disable preview where you can and force attachment sandboxing.
- Ring‑fence Windows 10: segment, apply last updates now, and accelerate migration off unsupported roles.
If you can’t patch today, use virtual patches (IDS/IPS/WAF), lock down exposure, and add alerting. Roundups with prioritization: ZDI review, SANS ISC cleaned list.
Virtual Patching: Talos Ships Snort/Suricata Rules
UncleSp1d3r: While you roll binaries, let the wire do some work. Talos dropped signatures for the high‑risk items (WSUS RCE, RasMan EoP, Office preview RCEs) so you can block probes before they become a story. Deploy in detection mode, tune, then gate. Correlate IDS hits with endpoint telemetry to catch the quiet ones. Sources: Talos analysis and rules, Snort advisories.
Practical steps:
- Push updated Snort/Suricata to perimeter and east‑west sensors.
- Add WSUS monitoring: anomalous requests, unexpected deserialization patterns, or traffic spikes to update endpoints.
- Map alerts to patch status; prioritize blocks where hosts lag.
ZDI + SANS: Why this month deserves your weekend
ZDI’s breakdown and SANS’s “cleaned” on‑prem list converge: the highest‑risk targets are the ones you actually run on‑prem and occasionally expose. That combination plus the end of mainstream Win10 patches is how minor annoyances turn into IR weekends. Use their lists as a ready‑made patch board: ZDI review, SANS ISC.
Heads‑Up: ZDI‑CAN‑28066 (Microsoft) — placeholder, high severity
ZDI added a high‑severity (CVSS 8.8) Microsoft entry to its Upcoming Advisories on Oct 13. No technicals yet, but it’s your nudge to double‑check exposure and compensating controls around Microsoft services (RDP, management portals, update endpoints, WSUS). IPS/virtual patching now, fewer regrets later. Source: ZDI Upcoming Advisories.
Quick hunts and tripwires
- WSUS: alert on unauthenticated access to update APIs, odd process launches or new binaries in WSUS content directories; watch for spikes in atypical user agents.
- RasMan: correlate service start/stop with privilege jumps; look for unexpected child processes from svchost.exe hosting RasMan.
- Office preview chain: flag preview‑triggered process trees (e.g., Outlook → Office DLLs → script/LOLBin), block network beacons from previewed documents.
- Legacy inventory: tag Win10 hosts lacking October updates; move them behind stricter ACLs and cut direct internet egress.
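To make the tripwires above (and the WSUS monitoring step in the virtual-patching section) concrete, here is an added example, not from the original post or from any of the cited vendors, that runs three of the hunts over constructed sample data: atypical user agents, non-management sources and request bursts against WSUS update endpoints; unexpected children of the svchost.exe instance hosting RasMan; and Outlook spawning a script host or LOLBin. The log format, the management IP range, the RasMan child allow-list and the patch inventory are all assumptions for the example; substitute your own telemetry fields and baseline.

```python
"""Added hunt runner (example code, not from the post). Assumptions:
WSUS access lines are a simplified IIS-like format
  "<time> <client-ip> <method> <path> <status> <user-agent>";
endpoint events are dicts with an 'event' key of 'service_start' or
'process_create'. All sample data below is constructed."""
from collections import Counter

# Constructed sample WSUS access lines (not real traffic).
WSUS_LOG = """\
2025-10-15T09:00:01 10.0.5.23 POST /ClientWebService/client.asmx 200 Windows-Update-Agent
2025-10-15T09:00:02 10.0.5.24 POST /ClientWebService/client.asmx 200 Windows-Update-Agent
2025-10-15T09:00:03 203.0.113.7 POST /ClientWebService/client.asmx 200 python-requests/2.31
2025-10-15T09:00:03 203.0.113.7 POST /ClientWebService/client.asmx 500 python-requests/2.31
2025-10-15T09:00:04 203.0.113.7 POST /ClientWebService/client.asmx 500 python-requests/2.31
2025-10-15T09:00:05 10.0.5.25 GET /Content/AB/abc.cab 200 Windows-Update-Agent
"""

EXPECTED_AGENT_PREFIXES = ("Windows-Update-Agent",)  # assumed baseline agent
MGMT_NETWORKS = ("10.0.5.",)                         # assumed management range

# Constructed endpoint events (not real telemetry).
ENDPOINT_EVENTS = [
    {"event": "service_start", "host": "ws01", "service": "RasMan", "user": "SYSTEM"},
    {"event": "process_create", "host": "ws01", "parent": "svchost.exe",
     "parent_svc": "RasMan", "image": "rasdial.exe"},
    {"event": "process_create", "host": "ws02", "parent": "svchost.exe",
     "parent_svc": "RasMan", "image": "cmd.exe"},
    {"event": "process_create", "host": "ws03", "parent": "outlook.exe",
     "image": "powershell.exe"},
]

# Assumed allow-list of RasMan children; build yours from a clean baseline.
RASMAN_EXPECTED_CHILDREN = {"rasdial.exe"}
SCRIPT_OR_LOLBIN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe"}

# Constructed patch inventory: host -> October update applied?
PATCH_STATUS = {"ws01": True, "ws02": True, "ws03": False}


def parse_wsus_line(line):
    ts, ip, method, path, status, *agent = line.split()
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": int(status), "agent": " ".join(agent)}


def hunt_wsus(log_text, burst_threshold=3):
    """Alerts (type, source_ip, detail) for atypical user agents,
    non-management sources and per-IP request bursts; deduplicated."""
    alerts, per_ip = set(), Counter()
    for raw in log_text.splitlines():
        rec = parse_wsus_line(raw)
        per_ip[rec["ip"]] += 1
        if not rec["agent"].startswith(EXPECTED_AGENT_PREFIXES):
            alerts.add(("atypical_user_agent", rec["ip"], rec["agent"]))
        if not rec["ip"].startswith(MGMT_NETWORKS):
            alerts.add(("non_mgmt_source", rec["ip"], rec["path"]))
    for ip, n in per_ip.items():
        if n >= burst_threshold:
            alerts.add(("request_burst", ip, n))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


def hunt_process_trees(events):
    """Alerts (type, host, image) for unexpected RasMan children and
    Outlook -> script/LOLBin chains."""
    alerts = []
    for e in events:
        if e.get("event") != "process_create":
            continue
        image = e["image"].lower()
        if e.get("parent_svc") == "RasMan" and image not in RASMAN_EXPECTED_CHILDREN:
            alerts.append(("rasman_unexpected_child", e["host"], image))
        if e["parent"].lower() == "outlook.exe" and image in SCRIPT_OR_LOLBIN:
            alerts.append(("office_preview_chain", e["host"], image))
    return alerts


def prioritize(alerts, patch_status):
    """Rank alerts so hosts still lagging on the October updates come first."""
    return sorted(alerts, key=lambda a: (patch_status.get(a[1], False), a[0]))


if __name__ == "__main__":
    for a in hunt_wsus(WSUS_LOG):
        print("WSUS", a)
    for a in prioritize(hunt_process_trees(ENDPOINT_EVENTS), PATCH_STATUS):
        print("ENDPOINT", a, "patched=" + str(PATCH_STATUS.get(a[1])))
```

The WSUS checks are deliberately simple string prefixes so they are easy to swap for your real IIS field layout; the useful part is the shape: per-source aggregation plus an allow-list baseline, then a final sort keyed on patch status so the unpatched hosts float to the top of the queue.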
Closing thoughts
Patch Tuesday isn’t a holiday, but it’s certainly observance-worthy. Get WSUS off the internet, put RasMan in its place, defang the preview pane, and quarantine your Win10 herd. Or as Sp1d3r says: if your update server can be reached from the lobby Wi‑Fi, it’s not a server, it’s a suggestion box.
— Kat & Sp1d3r